Google revises Project Zero’s Disclosure Policy to help improve zero-day vulnerability fixes


Project Zero, Google's dedicated vulnerability research team, has changed its Disclosure Policy to help reduce the time it takes for vulnerabilities to get fixed. Henceforward the group will withhold the technical details of a vulnerability for 30 days after a vendor patches it, provided the patch ships before the 90-day (or, for actively exploited bugs, 7-day) deadline. According to the group, the extra days are meant to give users time to install the patch before the details become public.

Under the revised policy, if an issue remains unpatched after 90 days, technical details are made public immediately. If the fix ships within the 90-day timeframe, Project Zero publishes the details 30 days after the fix is released. Vendors can also request a 14-day grace period if a fix is expected within that window. If both parties agree, vulnerabilities can be disclosed earlier as well.


In the case of a zero-day vulnerability actively exploited in the wild, Project Zero will make the technical details public immediately if the issue remains unpatched after seven days. If the vendor patches the issue within that time, technical details will be published 30 days after the fix. Vendors also have the option to request an additional 3-day grace period. Under the earlier policy, Google Project Zero gave no grace period for in-the-wild bugs and made the details public seven days after reporting, regardless of when the bug was fixed.

The full list of changes for 2021 (image: Google)

According to the revised Disclosure Policy, Google has three goals: reducing the time between a bug report and a fix reaching users, ensuring that fixes are comprehensive rather than narrowly patching the reported case, and reducing the time between a patch's release and its adoption by users.

“This 90+30 policy gives vendors more time than our current policy, as jumping straight to a 60+30 policy (or similar) would likely be too abrupt and disruptive. Our preference is to choose a starting point that can be consistently met by most vendors, and then gradually lower both patch development and patch adoption timelines,” Google Project Zero further said.